Today we understand that your data is one of your most precious, strategic assets. But who truly owns or controls this valuable asset, especially when it’s shared with third parties?
Third-party risk is becoming increasingly important; indeed, it was one of the hot topics at the recent Gartner Security & Risk Management Summit 2024.
The answer is more complex – and more interesting – than you may think. This article delves into the complexities of data ownership within a company, explores the implications of data sharing, and pinpoints who might be held accountable in the unfortunate event of a data breach.
The Elusive “Owner”: Data Governance within a Company
Unlike physical property, data ownership within a company isn’t always clear-cut. It’s more akin to a complex web of responsibility. While the company itself might be considered the ultimate “owner” from a legal standpoint, a concept known as data governance dictates who manages and controls specific datasets.
Data governance frameworks typically involve a triumvirate of key players:
- Data Owners: These are senior business representatives accountable for the quality, accuracy, and overall well-being of specific data sets. They ensure the data is used appropriately within their domain and make decisions about its access and usage.
- Data Stewards: These are the day-to-day champions of the data, often subject matter experts within a specific department. They understand the intricacies of the data, ensure its adherence to regulations, and act as a bridge between data users and data owners.
- IT Department: The IT department plays a crucial role in securing data storage, facilitating access controls, and implementing technical safeguards to prevent breaches.
Sharing the Data: The Third-Party Factor
The equation becomes even more complex when data is shared with third parties. Companies often share data with vendors, service providers, or even marketing partners to gain valuable insights or streamline operations. However, data sharing raises concerns about security and potential misuse.
A newer attack pattern, triple extortion ransomware, directly affects third parties.
A notable example is the case with Tipalti. ALPHV, the attackers, allegedly stole 265GB of data from Tipalti and demanded a ransom (double extortion).
However, upon examining the stolen files, the attackers discovered data belonging to Roblox, a much larger company.
Consequently, the attackers contacted Roblox and demanded a ransom from them as well.
In triple extortion ransomware attacks, the problem becomes more complex:
- Liability: The contract between Tipalti and Roblox allows Roblox to claim compensation from Tipalti only up to the yearly value of their contract, which will not cover Roblox’s expenses in this situation.
- Cyber insurance: Roblox will not be covered, and Tipalti’s insurance is likely insufficient for the needs of this case.
How would ITsMine protect third parties in this case?
With ITsMine, Roblox could enhance file storage security (e.g., a regular SharePoint site) by ensuring all documents shared between companies in this folder are owned by Roblox, in a dedicated Virtual Vault.
Utilizing features like File-GPS™ and FileTimeBomb™, the files can exist outside the Virtual Vault only for a limited time, always remaining under Roblox’s full control.
In the event of a breach such as Tipalti’s, Roblox can:
- Close access to the Vault shared with Tipalti
- Disable files downloaded from the Vault within the last week
- Provide evidence to regulators that the data was not accessed by external sources, thereby avoiding fines for Roblox
The Legal Landscape: A Patchwork of Regulations
While data governance establishes internal control mechanisms, the legal landscape surrounding data ownership varies depending on the type of data, industry regulations, and even geographical location. Here’s a glimpse into some key considerations:
- Personal Data: A growing number of regulations worldwide, like the General Data Protection Regulation (GDPR) in the European Union (EU) and the California Consumer Privacy Act (CCPA) in the US, grant individuals ownership rights over their personal data. These regulations give users control over how their data is collected, used, and shared, and often mandate companies to obtain user consent before processing such data.
- Intellectual Property: Certain types of data, like customer lists or proprietary algorithms, might fall under intellectual property (IP) laws. This grants the company ownership rights and restricts unauthorized use of the data by third parties.
- Contractual Agreements: Data ownership can also be established through contracts. For instance, a company might collect data from another company through a partnership agreement, which would explicitly outline ownership rights and usage limitations.
Breaches and Responsibility: Who Gets the Blame?
Unfortunately, data breaches are a harsh reality of the digital age. In the event of a breach, determining who is responsible depends on the specific circumstances. Here are some possibilities:
- The Company: The company ultimately bears a significant portion of the responsibility for a data breach. They have a duty to implement robust security measures and ensure their data governance framework is effective. Legal repercussions for companies experiencing breaches can be severe.
- Third-Party Vendors: If a breach occurs due to a security lapse by a third-party vendor with access to the company’s data, the vendor might be held liable, depending on the terms of the contract.
- Individual Employees: In rare cases, individual employees who intentionally or negligently expose sensitive data might be held accountable.
The Rise of Encryption-Less Ransomware: A New Twist on Data Ownership
The concept of data ownership becomes even more critical with the rise of encryption-less ransomware attacks. Unlike traditional ransomware that encrypts a company’s data, encryption-less ransomware focuses on stealing sensitive information and threatening to expose it publicly unless a ransom is paid. This tactic bypasses the need for complex decryption processes, allowing attackers to act faster and potentially cause even greater damage.
Impact on Data Ownership:
- Shifting Focus: Encryption-less ransomware puts the spotlight on data ownership and responsibility. While traditional ransomware attacks render data inaccessible, encryption-less attacks target the data itself. This highlights the importance of companies understanding what data they possess, who has access to it, and how it’s being secured.
Similarly, in the event of a breach or an attempted breach, companies need to know exactly which files were compromised, and retain control over exfiltrated data. This is where ITsMine comes in; we’ll circle back to this shortly.
- Third-Party Risk: The reliance on third-party vendors for data storage or processing creates additional vulnerabilities in encryption-less ransomware scenarios. Companies are ultimately responsible for their data, even if it resides with a third party. This necessitates stricter due diligence when selecting vendors and ensuring they have robust security measures in place.
- Reputational Damage: The fear of reputational damage due to data exposure becomes a significant pressure point in encryption-less ransomware attacks. Companies that fail to adequately secure sensitive data, even if not directly responsible for the breach, can face severe consequences in the form of lost consumer trust and regulatory fines.
Addressing the Challenge:
- Instant Alerts: Companies need to be advised of any potential encryption-less attacks in real time.
- Full Disclosure: They will need a full list of the files the attacker took.
- Kill Files: Organizations need the ability to kill the most important files even if the attacker holds them on an external offline system.
By acknowledging the growing threat of encryption-less ransomware and taking proactive measures, companies can strengthen their data governance practices and better protect their valuable assets.
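The “full disclosure” requirement above, and the earlier step of disabling files downloaded from a shared Vault within the last week, both reduce to one forensic question: what does the file store’s own audit trail say about the shared folder? The following Python is an added example, not ITsMine’s code and not a description of how its product works internally; the log format, folder path, domains and account names are all constructed for the example. It reconstructs from a storage audit export which files left a shared folder within a window before a breach notice (the revoke-and-disclose list) and whether any principal outside the two contracting parties touched the folder (the evidence a regulator would ask for).

```python
"""Reconstruct which files left a shared folder, and who touched them, from
file-storage audit logs.

Added example (not ITsMine's code). Real SharePoint/OneDrive/Google Drive
audit exports use different field names, but carry the same information:
time, actor, operation, path. The records below are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (not real data), newline-delimited JSON.
SAMPLE_AUDIT_LOG = """\
{"time": "2024-04-20T09:00:00Z", "actor": "bob@vendor.example", "op": "FileDownloaded", "path": "/Shared/VendorVault/onboarding.docx"}
{"time": "2024-05-01T09:12:00Z", "actor": "alice@customer.example", "op": "FileUploaded", "path": "/Shared/VendorVault/contract-2024.pdf"}
{"time": "2024-05-02T10:30:00Z", "actor": "bob@vendor.example", "op": "FileDownloaded", "path": "/Shared/VendorVault/contract-2024.pdf"}
{"time": "2024-05-03T11:00:00Z", "actor": "bob@vendor.example", "op": "FileDownloaded", "path": "/Shared/VendorVault/invoices-q1.xlsx"}
{"time": "2024-05-04T08:45:00Z", "actor": "carol@vendor.example", "op": "FileAccessed", "path": "/Shared/VendorVault/invoices-q1.xlsx"}
{"time": "2024-05-06T16:20:00Z", "actor": "bob@vendor.example", "op": "FileDownloaded", "path": "/Shared/VendorVault/employee-roster.csv"}
{"time": "2024-05-07T12:00:00Z", "actor": "alice@customer.example", "op": "FileDownloaded", "path": "/Shared/Public/brochure.pdf"}
{"time": "2024-05-07T13:00:00Z", "actor": "anonymous-link", "op": "FileDownloaded", "path": "/Shared/VendorVault/invoices-q1.xlsx"}
this line is not valid JSON and must be skipped, not crash the investigation
"""

VAULT_PREFIX = "/Shared/VendorVault/"          # constructed: the shared folder under review
ALLOWED_DOMAINS = {"customer.example", "vendor.example"}  # constructed: data owner + contracted third party


def parse_time(value):
    """Parse an ISO-8601 timestamp (with a trailing Z) into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_audit_lines(text):
    """Parse newline-delimited JSON audit records into normalised dicts.
    Malformed or incomplete lines are skipped so one bad record cannot hide the rest."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            raw = json.loads(line)
            events.append({
                "time": parse_time(raw["time"]),
                "actor": str(raw["actor"]),
                "op": str(raw["op"]),
                "path": str(raw["path"]),
            })
        except (ValueError, KeyError, TypeError):
            continue
    return events


def files_downloaded_since(events, folder_prefix, since):
    """Sorted, de-duplicated list of files under folder_prefix downloaded at or after `since`.
    This is the set to revoke and to disclose once the counterparty reports a breach."""
    return sorted({
        e["path"] for e in events
        if e["op"] == "FileDownloaded"
        and e["path"].startswith(folder_prefix)
        and e["time"] >= since
    })


def actor_domain(actor):
    """Domain of a user principal; non-user actors (anonymous links, tokens) have none."""
    return actor.rsplit("@", 1)[1] if "@" in actor else None


def external_access(events, folder_prefix, allowed_domains):
    """Events on the folder whose actor is not one of the contracting parties.
    An empty result is the evidence that only known principals touched the folder."""
    return [
        e for e in events
        if e["path"].startswith(folder_prefix)
        and actor_domain(e["actor"]) not in allowed_domains
    ]


def investigate(text, breach_time, folder_prefix=VAULT_PREFIX,
                allowed_domains=ALLOWED_DOMAINS, window_days=7):
    """Answer both evidence questions for a breach noticed at breach_time."""
    events = parse_audit_lines(text)
    since = breach_time - timedelta(days=window_days)
    return {
        "downloaded_last_window": files_downloaded_since(events, folder_prefix, since),
        "external_access": external_access(events, folder_prefix, allowed_domains),
    }


if __name__ == "__main__":
    result = investigate(SAMPLE_AUDIT_LOG, parse_time("2024-05-08T00:00:00Z"))
    print("Revoke and disclose:", result["downloaded_last_window"])
    for e in result["external_access"]:
        print("External access:", e["time"].isoformat(), e["actor"], e["op"], e["path"])
```

The window is anchored to the breach notice rather than to “now”, because the counterparty typically reports days after the intrusion, and the April download is deliberately outside it to show the cut-off. The anonymous-link record is the kind of finding that turns “we believe no outsider accessed the data” into a qualified statement, which is exactly why the audit export, not the vendor’s assurance, should be the source of the evidence given to regulators.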
The Road Ahead: Navigating the Data Labyrinth
Data ownership and responsibility in today’s world are intricate concepts. Companies must navigate a complex web of internal governance structures, evolving regulations, and third-party interactions. Here are some key takeaways:
- Data Governance is Crucial: Establish a clear data governance framework that defines roles, responsibilities, and access controls for all data within the company.
- Understand the Data Landscape: Be aware of relevant regulations governing the types of data you collect and store.
- Secure Your Data: Implement robust security measures to safeguard your data from unauthorized access, breaches, and misuse. This includes encryption, access controls, and regular vulnerability assessments.
There’s no better partner for securing your data than ITsMine. With the company’s Encryption-less Ransomware Solution, organizations gain:
- Instant Alerts: ITsMine alerts in real time to potential encryption-less attacks.
- Full Disclosure: Provides a full list of the files the attacker took.
- Kill Files: Kills the most important files even if the attacker holds them on an external offline system.
With Virtual Vaults, which include proprietary technologies like FileGPS™ and FileTimeBomb™, ITsMine allows you to always be in full control of your sensitive files.
You can create multiple “Virtual Vaults” within your central file storage system – including OneDrive, Google Drive, Dropbox, NetApp and any Windows/Linux file storage – with just a few clicks. Any folder can instantly be transformed into the safest digital space within your organization within which every file is protected end-to-end, even beyond company boundaries.
Data is a powerful asset, but with great power comes great responsibility. By implementing a robust data protection solution, understanding the legal landscape, and prioritizing security, companies can navigate the complexities of data ownership and sharing while mitigating the risks of breaches and ensuring responsible data practices.